2 Answers
2

Most databases do not allow you to just insert data using SQL Injection (Unless of course you are already in an insert query and even then you usually can't control the table name). You can't simply stack queries, that is only allowed in Microsoft SQL Server, PostgreSQL and comic books. You can use a sub-select or union select to access data from another table, and SQLMap is doing this behind the scenes.

SQLMap's real strength is in data exfiltration. If you want something more complex, like a multi-staged attack that gives you a shell, then you need to write an exploit. Take off the training wheels and be man (or woman).

some web application technologies do not support stacked queries on
specic database management systems. For instance, PHP does not
support stacked queries when the back-end DBMS is MySQL, but it does
support when the back-end DBMS is PostgreSQL.